Phishing – Don’t Get Caught During COVID-19


Cybercriminals are seeking to exploit COVID-19 to target companies and individuals. The World Economic Forum has issued a notice that attackers are using COVID-19-themed phishing e-mails, which purport to deliver official information on the virus, to lure individuals to click malicious links that download Remote Administration Tools (RATs) on their devices. Further, the Forum is advising that there are more than 100,000 new COVID-19 web domains, which should be treated with suspicion, even though not all of them are malicious. Caution is warranted.

What is Phishing?

Phishing is an attempt to get sensitive information such as a username, password, credit card information, etc. from an unsuspecting individual for malicious purposes.

Most often a phisher will send numerous emails that look like they are coming from a legitimate source, even to the extent of including things like the logo of your bank for example. Quite often, a phishing attack will request the user to take action to respond to what might look like an urgent situation, perhaps for example, unusual activity on your bank account. You may be asked for personal or sensitive information or directed to a spoofed website that looks very legitimate but is not, where you will be prompted to provide sensitive or personal information.

There are various types of phishing attacks. A regular phishing attack involves sending many emails to a non-targeted group, casting a wide net in the hope that a number of recipients will respond.

Spear phishing is targeted at a specific group. Such attacks are often addressed in a more personal way, for example directly to you by name, and are often disguised to look as if they came from a familiar source.

Whaling attacks target high-level executives and, like spear phishing, such attacks often appear to come from a legitimate and familiar source.

Why Should You be Concerned?

You should be concerned about phishing because you are at risk. According to the 2019 State of Cybersecurity report from ISACA, phishing topped the list of common attack types.

With phishing attacks, you are also at risk from ransomware. Trend Micro reported a 77 percent surge in ransomware attacks during the first half of 2019.

How Successful are Phishing Attacks?

Nobody can know for certain how successful phishing attacks really are, but the risk should not be ignored. Although somewhat dated, statistics from the 2016 Verizon Data Breach Investigations Report indicated that 30% of phishing emails are opened soon after receipt and about 12% of recipients go on to click on links or attachments.

What Should You Watch For?

Some examples of things you should watch for to avoid falling victim to a phishing attack include the following:

Generic-looking requests for information that are not specifically addressed to you. Legitimate companies most often address you by your name.

Emails or sites that contain many typos or spelling mistakes, which are often an indicator of a phishing attack.

Be cautious of email that does not come from the recognized domain of the organization that is purported to have sent it to you. For example, notice the difference between these two email addresses: fliska@otusgroup.com, which is legitimate, and fliska@otusgroup3.com, which is not a valid email address for the organization.

Be aware of common scams such as account deactivation threats, "friend in need" requests for money, and emails claiming to come from tech support.
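The sender-domain check described above is something a mail administrator can automate. The following is an added example written for this article, not code from the author or from Otus Group; it assumes a constructed allowlist of the organization's legitimate sending domains and uses the two example addresses from the text to show how a look-alike domain such as otusgroup3.com is separated from the real otusgroup.com.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist (assumption for this example): the domains the
# organization legitimately sends mail from.
TRUSTED_DOMAINS = {"otusgroup.com"}

# Brand names derived from the allowlist, used to catch domains that merely
# embed a trusted name (e.g. otusgroup-support.com).
BRAND_TOKENS = {d.split(".")[0] for d in TRUSTED_DOMAINS}


def sender_domain(address):
    """Return the lowercased domain part of an e-mail address, or None if malformed."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return match.group(1).lower() if match else None


def classify_sender(address, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Classify a sender address for triage.

    Returns one of:
      'trusted'   - domain is exactly on the allowlist
      'lookalike' - domain is not trusted but closely resembles a trusted one
      'unknown'   - domain bears no resemblance to any trusted domain
      'malformed' - the address could not be parsed
    """
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    if domain in trusted:
        return "trusted"
    for legit in trusted:
        # Similarity ratio in [0, 1]; otusgroup3.com vs otusgroup.com scores ~0.96.
        similarity = SequenceMatcher(None, domain, legit).ratio()
        if similarity >= threshold:
            return "lookalike"
    if any(token in domain for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def triage_senders(addresses):
    """Return a list of (address, verdict) pairs, look-alikes first, for review."""
    results = [(addr, classify_sender(addr)) for addr in addresses]
    order = {"lookalike": 0, "malformed": 1, "unknown": 2, "trusted": 3}
    return sorted(results, key=lambda pair: order[pair[1]])


if __name__ == "__main__":
    # Constructed sample of sender addresses as they might appear in a mail log.
    sample = [
        "fliska@otusgroup.com",
        "fliska@otusgroup3.com",
        "alice@example.org",
        "not-an-address",
    ]
    for addr, verdict in triage_senders(sample):
        print(f"{verdict:10s} {addr}")
```

The similarity threshold of 0.8 is a tuning choice for this example: lower it and more unrelated domains are flagged for review, raise it and single-character substitutions may slip through, so the list of trusted domains and the threshold should be set per organization.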

What Should You Do to Manage the Risk?

Some steps you can take to manage the risk associated with a phishing attack include:

Education – make sure that members of your organization are aware of what phishing attacks are and of the common warning signs they should look out for, such as those noted above.

Avoid submitting information through forms contained in emails.

Do not click on links in an email, download software, or open attachments in an email, even if the email appears to be from a known, trusted source. A safer practice is to type the URL of the site you want to reach into your browser’s address bar yourself.

Provide sensitive information only if your connection is secured. If a site is secure, you should see “https” at the start of the site’s URL.

Francis is a Chartered Professional Accountant, Certified General Accountant, Certified Information Systems Auditor, Certified Internal Control Auditor and a Certified Management Consultant. He holds a degree in Business Administration from Cape Breton University and a Post Graduate Diploma in Applied Information Technology. He has also completed graduate studies in decision analysis at Carleton University.